David Hannum underestimated humanity greatly when he claimed a sucker was born every minute; we are now up to one every 15 seconds and accelerating. Online scammers keep doing what they do because it works, and even those who should know better regularly share personal details online that make a scammer's life much easier. It is not just the suspicious phone calls, texts and websites; many people's social media feeds are a cornucopia of personal information that scammers can turn into profit at your expense. The problem is only getting worse: in the UK, The Register reports that fraud losses in 2015 were £755m, 26% more than in 2014, and a quick search shows the same trend applies to the US.

You've heard it before and you will hear it again: before you hit send, take a second to ask yourself whether you really should be sharing what you are about to post.

"Between January and June 2016 there were 1,007,094 fraud cases in the UK compared to 660,308 in the first six months of 2015. Each case represents a card or account attacked, not an individual person."

The research SEC Consult has conducted shows that almost half of the IoT devices they analysed, from your router straight through to equipment in hospitals and factories, ship with SSH host keys and X.509 certificates baked into the firmware and shared across every unit of that model, and frequently across other vendors' products built from the same reference code. Since anyone can extract those private keys from a firmware image, and they are now known far and wide, it is depressingly easy to impersonate one of these devices, sit in the middle of its connections, harvest passwords and other data, or even change the contents of a packet on the fly. Imagine a heart monitor that reports a strong heartbeat long after the patient has died, or a large machine in a power plant being fed different readings so that it exceeds its safety margins and destroys itself. This is only getting worse, as many companies building these devices are either saving money by shipping the chipset vendor's packaged firmware as-is or are totally unaware of the effect of reusing keys.

If you can, regenerate the keys so they are unique to each device, and keep the devices isolated on their own network segment with their management interfaces off the public internet. As The Register unhappily points out, this is not something your average consumer or purchasing department is even aware of, let alone proficient enough to fix by changing the keys on their devices.

"Millions of internet-facing devices – from home broadband routers to industrial equipment – are still sharing well-known private keys for encrypting their communications."

In their infinite wisdom, Microsoft has blocked USB webcams from delivering MJPEG and H.264 streams to applications such as Skype in the Windows 10 Anniversary Update (AU), leaving uncompressed YUY2 as the only choice. The supposed reasoning is that the camera stream should be decoded once and shared between applications rather than duplicated, which could otherwise lead to poor performance; ironically the result of the change is poor performance for the majority of users, such as Josh. Supposedly a fix will be released some time in September, but for now the only option is to roll back your AU installation, assuming you are not already past the 10 day deadline. You can thank Brad Sams over at Thurrott.com for getting to the bottom of an issue which has been plaguing Skype users, and pick up some more details in his post.

"Microsoft made a significant change with the release of Windows 10 and support for webcams that is causing serious problems for not only consumers but also the enterprise. The problem is that after installing the update, Windows no longer allows USB webcams to use MJPEG or H264 encoded streams and is only allowing YUY2 encoding."

At some point they may learn, but obviously not yet: Lenovo's Accelerator support application opens two vulnerabilities on any system with it installed. Because it fetches updates over an unencrypted connection and does not verify the signature of what it receives, an attacker in a man-in-the-middle position can feed it an arbitrary executable to run. There are 6 notebook and 25 desktop lines with this issue, although ThinkPads and ThinkStations are not on the list. If you have the software, you should remove it immediately. More over at The Register.

With the lousy news below the fold, up to and including yet another Stagefright exploit, here is a bit of amusing news to balance out the bad. A recently unleashed ransomware program appears to have been built on stolen code, and the original developer has taken offence. His original program, EDA2, was written to illustrate how ransomware works, and he intentionally included a backdoor to ensure that the encrypted data could always be recovered.

He has used that backdoor to retrieve the complete list of decryption keys and has posted it to the net; The Register has a link to the list right here. It is good for the soul to see incompetent bad guys every once in a while.

"A software developer whose example encryption code was used by a strain of ransomware has released the decryption keys for the malware."

Lenovo chose the third most popular password of 2015 to secure its ShareIT for Windows application and, for bonus points, hard-coded it, for which there is utterly no excuse in this day and age. If you aren't familiar with the software, it is a file-transfer app which lets you share files and folders between devices, apparently with anyone at all now that this password ridiculousness has been exposed. As you read on at The Inquirer the story gets even better: files are transferred in the clear without any encryption, and the app even stands up a WiFi hotspot for you, protected by that same password, to make sharing your files with all and sundry even easier. There are more than enough unintentional vulnerabilities in software and hardware; we really don't need companies programming them in on purpose. If you have ShareIT, you should probably DumpIT.

***Update***

We received word that an updated version of ShareIT is available for those who use the app and would like to continue doing so.

They can also access the latest versions which are posted and available for download on the Lenovo site. The updated Android version of SHAREit is also available for download on the Google Play store. Please visit the Lenovo security advisory page for the latest information and updates: (https://support.lenovo.com/us/en/product_security/len_4058)

"HOLY COW! Lenovo may have lost its mind. The firm has created vulnerabilities in ShareIT that could be exploited by anyone who can guess that '12345678' could be a password."

You would think people would be taken aback if someone suggested saving money by cutting the same key for every new house built in a neighbourhood; if you would be, you clearly don't work for a company developing hardware for the Internet of Things. In a recent survey of 4,000 embedded devices from 70 hardware makers, SEC Consult found that many share the same hard-coded SSH host keys and server-side SSL certificates. The numbers they gave The Register: a total of 580 unique private keys were found distributed across all the analysed devices, of which at least 230 are already in use on the internet. To be fair, this is not uncommon in consumer-level firmware, as companies do not even bother to review the source code, let alone change the keys held within it, but it is a huge security risk. For a glimpse at how bad some of these supposedly secure certs and keys are, read on at The Register.

"Lazy makers of home routers and the Internet of Things are reusing the same small set of hardcoded security keys, leaving them open to hijacking en masse, researchers have warned."
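The quickest way to find this problem on your own network, whether it is the router story above or the 580-key survey, is to compare SSH host-key fingerprints across every device you can reach: `ssh-keyscan` prints each host's public key, and two devices reporting the same fingerprint are sharing a private key. The script below is an added example, not code from SEC Consult or The Register. It parses `ssh-keyscan`-style output, computes the same `SHA256:` fingerprint that `ssh-keygen -lf` prints, and reports any fingerprint seen on more than one host. The sample "fleet" (three hypothetical addresses, two of which share an arbitrary ed25519 key) is constructed inline so it runs offline; in practice you would feed it the real output of `ssh-keyscan -f hosts.txt`.

```python
import base64
import hashlib
from collections import defaultdict


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string: 4-byte big-endian length + data."""
    return len(data).to_bytes(4, "big") + data


def ed25519_blob(raw_pubkey: bytes) -> str:
    """Build the base64 public-key blob ssh-keyscan prints for an ssh-ed25519 key.

    Only needed to construct sample data; a real scan hands you the blob directly.
    """
    assert len(raw_pubkey) == 32
    wire = ssh_string(b"ssh-ed25519") + ssh_string(raw_pubkey)
    return base64.b64encode(wire).decode()


def openssh_fingerprint(b64_blob: str) -> str:
    """SHA256 fingerprint in the form `ssh-keygen -lf` prints (base64, no '=' padding)."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_keyscan(text: str):
    """Yield (host, key_type, blob) from ssh-keyscan output, skipping comments and blanks."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) >= 3:
            yield parts[0], parts[1], parts[2]


def shared_host_keys(keyscan_text: str, min_hosts: int = 2) -> dict:
    """Group hosts by host-key fingerprint and return only fingerprints seen on
    at least `min_hosts` hosts, i.e. the devices that share one private key."""
    hosts_by_fp = defaultdict(set)
    for host, _key_type, blob in parse_keyscan(keyscan_text):
        hosts_by_fp[openssh_fingerprint(blob)].add(host)
    return {fp: sorted(hosts) for fp, hosts in hosts_by_fp.items() if len(hosts) >= min_hosts}


# Constructed sample fleet (hypothetical addresses, arbitrary key bytes): two devices
# ship the same vendor-baked key, the situation SEC Consult describes.
SHARED_KEY = bytes(range(32))
UNIQUE_KEY = bytes(range(32, 64))
SAMPLE_KEYSCAN = "\n".join([
    "# 10.0.0.1:22 SSH-2.0-dropbear",
    f"10.0.0.1 ssh-ed25519 {ed25519_blob(SHARED_KEY)}",
    f"10.0.0.2 ssh-ed25519 {ed25519_blob(SHARED_KEY)}",
    f"10.0.0.3 ssh-ed25519 {ed25519_blob(UNIQUE_KEY)}",
])

if __name__ == "__main__":
    for fp, hosts in shared_host_keys(SAMPLE_KEYSCAN).items():
        print(f"{fp} is shared by {len(hosts)} hosts: {', '.join(hosts)}")
```

A fingerprint that shows up on devices from different vendors is the strongest signal: the key almost certainly came from a shared SDK rather than from anything the vendor generated.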

In the next installment of poorly planned moves by a US government agency attempting to solve a problem that does not exist, we have an attempt to make it illegal to modify the firmware on any device which contains a radio. This is presumably to prevent you from using open source software to modify your wireless router into a death ray which will allow you to take over the planet.

Specifically, it would make it illegal to modify any device which can transmit on the U-NII bands, which happen to include the 5GHz band that WiFi uses. While most custom firmware, such as DD-WRT, only changes the software running on the router's processor, routers are built on SoCs in which the radio is part of the same chip as the CPU you are reflashing, so a ban on modifying one is effectively a ban on modifying the other. Hack a Day has links to the FCC proposal; you might want to consider emailing your congress critters about it.

"Because of the economics of cheap routers, nearly every router is designed around a System on Chip – a CPU and radio in a single package. Banning the modification of one inevitably bans the modification of the other, and eliminates the possibility of installing proven Open Source firmware on any device."

In a lack of foresight that will not surprise anyone working professionally in IT, 70% of businesses are ignoring the fact that Windows Server 2003 reaches end of life next Tuesday. The belief that what your clients don't know won't hurt them is endemic in the business world, and this is yet more proof of that philosophy. Most businesses sign agreements guaranteeing that their clients' data will be stored securely, and running an unsupported OS over a decade old stretches the definition of secure storage far beyond breaking point. Your bank, your payroll company, your government, even your ISP and telephone provider are all likely to be guilty of this, and you should be aware of that. It does not mean there will be a sudden outbreak of attacks next week; instead there will be a slow rise in the number of breaches and leaks as more exploits are discovered and never patched. The Inquirer does not have numbers on how many companies are taking Microsoft's offer of continued support for Server 2003 beyond Tuesday at $600 per server, but you can bet the uptake is a tiny fraction of that 70%. Much like the proverbial frog, people will not notice the slow rise in security breaches until the damage is already irreversible.

"WE'RE AT T-MINUS four days and counting, and a new survey suggests that as many as 70 percent of businesses are going to miss the deadline for upgrading from Windows Server 2003."

This has been a bad week for SSL, and the news just keeps getting worse. Comodo issues around one in every three SSL certificates currently in use, as it has, until now, had a sterling reputation as a trusted provider. It turns out that reputation may not be deserved, seeing as how its Internet Security 2014 product ships with an application called Adtrustmedia PrivDog, enabled by default. Not only does this app install its own root CA certificate and intercept your HTTPS connections so it can insert customised ads, as Superfish does; it also turns invalid HTTPS certificates into valid ones, because it does not validate the certificate the real site presents before re-signing it with its own locally trusted root. That means an attacker can use PrivDog to spoof your bank's SSL cert, redirect you to a fake page and grab your credentials, while all the time your browser reports a valid and secure connection to the site.

The only good news in The Register's article is that this specific vulnerability is only present in PrivDog versions 3.0.96.0 and 3.0.97.0, so its distribution is limited. What is incredibly depressing is what this says about the whole SSL certificate model: even those who issue the certs meant to assure your security apparently feel that building a man-in-the-middle into their software does not contravene their entire reason for existing.

Update: The Register's article was originally based on research from Hanno Bock, who referred to PrivDog as being distributed by Comodo. Comodo does not distribute the standalone desktop version of PrivDog, only the browser extension, which was never vulnerable to the TLS interception flaw.
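If you suspect something like PrivDog (or Superfish, or a corporate proxy) is sitting between your browser and the web, the tell is the issuer on the certificate you actually receive: a site whose certificate is signed by a public CA should never arrive signed by a root that only exists on your machine. The snippet below is an added example, not code from Comodo, PrivDog or The Register. It inspects a server certificate in the layout Python's `ssl.SSLSocket.getpeercert()` returns, flags an issuer the site is not known to use, and optionally pins the SHA-256 hash of the leaf certificate, which a re-signed copy can never match. The two sample certificates, their hostnames and the CA names are constructed for the example; `fetch_peercert()` does the live version against a real host.

```python
import hashlib
import socket
import ssl


def rdn_value(name, attr):
    """Return one attribute (e.g. 'organizationName') from the nested
    ((('key', 'value'),), ...) tuples getpeercert() uses for subject/issuer."""
    for rdn in name:
        for key, value in rdn:
            if key == attr:
                return value
    return None


def interception_verdict(peercert, expected_issuer_orgs):
    """Classify a validated leaf certificate.

    'ok'           the issuer organisation is one the site is known to use
    'intercepted'  anything else: a locally trusted root (ad injector,
                   corporate proxy, malware) re-signed the certificate,
                   which is exactly what PrivDog and Superfish do
    """
    issuer_org = rdn_value(peercert.get("issuer", ()), "organizationName")
    return "ok" if issuer_org in expected_issuer_orgs else "intercepted"


def leaf_matches_pin(der_bytes, pinned_sha256_hex):
    """Stronger check: compare the DER leaf against a hash recorded out of band.
    A re-signed certificate never matches, whatever issuer name it carries."""
    return hashlib.sha256(der_bytes).hexdigest() == pinned_sha256_hex.lower()


def fetch_peercert(host, port=443, timeout=5):
    """Live check against a real site. The default context uses the OS trust
    store, so a rogue root installed by an interceptor is honoured exactly as
    the browser would honour it. Returns (parsed cert dict, DER bytes)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(), tls.getpeercert(binary_form=True)


# Constructed samples (hypothetical hostname and CA names) in getpeercert() layout.
GENUINE_CERT = {
    "subject": ((("commonName", "bank.example"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Example Trust CA Inc"),),
        (("commonName", "Example Trust TLS Issuing CA 1"),),
    ),
    "subjectAltName": (("DNS", "bank.example"),),
}
RESIGNED_CERT = {
    "subject": ((("commonName", "bank.example"),),),  # same name, so hostname checks pass
    "issuer": (
        (("organizationName", "Local Ad Injector"),),
        (("commonName", "Local Ad Injector Root CA"),),
    ),
    "subjectAltName": (("DNS", "bank.example"),),
}
BANK_ISSUERS = {"Example Trust CA Inc"}  # the CA(s) the site is known to use

if __name__ == "__main__":
    for label, cert in (("genuine", GENUINE_CERT), ("re-signed", RESIGNED_CERT)):
        print(f"{label}: {interception_verdict(cert, BANK_ISSUERS)}")
    try:
        live, _der = fetch_peercert("www.example.com")
        print("www.example.com issuer:", rdn_value(live["issuer"], "organizationName"))
    except OSError as exc:
        print("live check skipped:", exc)
```

Note that the intercepted certificate still carries the right hostname and validates cleanly, because the interceptor's root is in your trust store; that is why the browser reports a secure connection and why the issuer name or a pinned hash, not the padlock, is what tells you the truth.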